

Subject: RE: [saml-dev] holder-of-key subject confirmation


I believe it depends upon the KeyInfo used by the IdP in the attribute
assertion. If the IdP identified C1 via specific reference (e.g. the
actual certificate itself), the RP's message should not be considered
valid as to meeting the requirements identified by the IdP.

OTOH, if the IdP used KeyInfo/X509Data/X509SubjectName to identify the
subject name of the user and C2 had the same Subject name, presenting
the message with proof of C2's private key would be considered to meet
the requirements identified by the IdP.

Essentially, the IdP has control over what the presenting party
must do to prove to the relying party that it can present the 
assertion.

Conor

> -----Original Message-----
> From: Tom Scavo [mailto:trscavo@gmail.com]
> Sent: Sunday, May 11, 2008 11:25 AM
> To: SAML Developers
> Subject: [saml-dev] holder-of-key subject confirmation
> 
> Consider the following sequence of protocol exchanges:
> 
> 1. A user self-queries an IdP for attributes, authenticating with an
> X.509 certificate (C1).
> 2. The IdP issues a signed attribute assertion, binding the user's
> certificate to a holder-of-key <SubjectConfirmation> element.
> 3. The user presents the signed attribute assertion to a relying
> party, authenticating with a different X.509 certificate (C2).
> 
> If the RP can verify that the subject names in C1 and C2 are the same,
> can the RP conclude that the subject is confirmed?
> 
> Thanks,
> Tom
> 
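As an added example (not code from the thread or from any SAML implementation), the two KeyInfo styles Conor contrasts, written up as the relying party's check: an exact X509Certificate reference is satisfied only by C1 itself, while an X509SubjectName reference is satisfied by any certificate carrying that subject name, so C2 passes. The certificate records, placeholder DER bytes, builder helpers and `confirms_holder_of_key` are all constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

@dataclass(frozen=True)
class Cert:
    subject: str   # subject DN as a string (stand-in for a parsed X.509 certificate)
    der: bytes     # DER encoding; constructed placeholder bytes in the samples below

def hok_confirmation(x509data_child: str) -> str:
    """Build a holder-of-key <SubjectConfirmation> whose KeyInfo carries one X509Data child."""
    return (f'<saml:SubjectConfirmation xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
            f'Method="{HOK}"><saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data>'
            f'{x509data_child}</ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>'
            '</saml:SubjectConfirmation>')

def by_certificate(cert: Cert) -> str:
    # IdP names the exact certificate: only that certificate satisfies the confirmation.
    return hok_confirmation(f"<ds:X509Certificate>{base64.b64encode(cert.der).decode()}</ds:X509Certificate>")

def by_subject_name(cert: Cert) -> str:
    # IdP names only the subject DN: any certificate the RP trusts for that DN satisfies it.
    return hok_confirmation(f"<ds:X509SubjectName>{escape(cert.subject)}</ds:X509SubjectName>")

def confirms_holder_of_key(subject_confirmation_xml: str, presented: Cert) -> bool:
    """True if `presented` is the key the IdP bound in a holder-of-key SubjectConfirmation.
    Assumes the RP has already verified the IdP signature on the assertion and proof of
    possession of `presented`'s private key (TLS client auth or a message signature)."""
    sc = ET.fromstring(subject_confirmation_xml)
    if sc.get("Method") != HOK:
        return False
    for keyinfo in sc.findall("saml:SubjectConfirmationData/ds:KeyInfo", NS):
        for c in keyinfo.findall("ds:X509Data/ds:X509Certificate", NS):
            if base64.b64decode("".join((c.text or "").split())) == presented.der:
                return True
        for n in keyinfo.findall("ds:X509Data/ds:X509SubjectName", NS):
            # Plain string compare; production code should normalise DNs (RFC 4514) first.
            if (n.text or "").strip() == presented.subject:
                return True
    return False

# Constructed sample certificates: C1 and C2 share a subject but are different certificates.
C1 = Cert("CN=Tom Scavo,O=Example", b"placeholder-der-C1")
C2 = Cert("CN=Tom Scavo,O=Example", b"placeholder-der-C2")
C3 = Cert("CN=Someone Else,O=Example", b"placeholder-der-C3")
```

The subject-name case also relies on the RP trusting the CA that issued C2 for that name; the KeyInfo match alone does not establish that.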


